Veracode (via Ars) says Pandora does, in fact, send your Android ID, date of birth, gender and GPS location to a number of ad companies.
The app integrates with Google.ads, AdMarvel, AdMob, comScore and Medialets.
Writes Veracode:
"The analysis into the remaining libraries resulted in even more of the same. The SecureStudies library accesses the android_id and directly sends a hash of the data to [ link ] while the Medialets library accesses the device’s GPS location, bearing, altitude, android_id, connection status, network information, device brand, model, release revision, and current IP address."
"[Y]our personal information is being transmitted to advertising agencies in mass quantities. In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight into a person's life... When all that is placed into a single basket, it’s pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them. I don’t know about you, but that feels a little Orwellian to me."